[Pkg-freeipa-devel] [Git][freeipa-team/jss][master] 27 commits: Support LD_FLAGS from environment

Timo Aaltonen gitlab at salsa.debian.org
Mon Sep 9 21:48:32 BST 2019



Timo Aaltonen pushed to branch master at FreeIPA packaging / jss


Commits:
731b62d4 by Alexander Scheel at 2019-06-17T13:02:26Z
Support LD_FLAGS from environment

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
88fa55a9 by Alexander Scheel at 2019-06-17T14:13:47Z
Add additional error handling functions

PR_GetErrorText doesn't return useful information all the time;
PR_ErrorToName always returns the constant name when possible.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
de594c30 by Alexander Scheel at 2019-06-19T10:56:22Z
Wrap SSL_ConfigServerCert

SSL_ConfigServerCert (exposed as jss.nss.SSL.ConfigServerCert) is the
more modern form of SSL_ConfigSecureServer. Implement the wrapper with
no additional data (i.e., default configuration) and test it. Also test
ECDSA signed certificates in both C and Java BufferPRFD test suites.

Deprecate SSL_ConfigSecureServer as well.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
182add54 by Alexander Scheel at 2019-06-19T13:38:31Z
Return String in jss.nss.PR error text functions

GetErrorText() and ErrorToName(...) previously returned byte[]; return
String as they're most likely to be used in conjunction with other
Strings.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
e6638fd2 by Alexander Scheel at 2019-06-24T12:38:57Z
Switch to SSL_ConfigServerCert

In SSLServerSocket, we use the deprecated form, SSL_ConfigSecureServer.
Switch to using the newer form, SSL_ConfigServerCert. This also saves us
a call to check the KEA usage.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
917c41ef by Alexander Scheel at 2019-06-27T20:10:26Z
Add JSS_PK11_wrapCertChain helper

A CERTCertList is roughly equivalent to a PK11Cert[] array. Add a helper
function for wrapping a CERTCertList into a PK11Cert[] jobjectArray
item. This largely mirrors the JSS_PK11_wrapCert helper function.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
0b6924d1 by Alexander Scheel at 2019-06-27T20:10:26Z
Wrap SSL_PeerCertificate, SSL_PeerCertificateChain

These two functions are necessary for introspecting the results of an SSL
handshake with client authentication and useful for SSLSession support.
Adds a test to the TestBufferPRFD method to check their status.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
d634b1ee by Alexander Scheel at 2019-07-15T21:05:29Z
Terminate SSL test cases after too many attempts

When the handshake fails to complete in a certain number of steps,
terminate it. We set this limit as 40 as it should be significantly
larger than the number of required steps (since the buffer limit is at
2048, we'd expect no more than 10 steps, even with a large certificate
or chain).

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
b201d95a by Endi S. Dewata at 2019-07-19T13:07:57Z
Added uncleared password warning

The Password class has been modified to store the location where
it was created initially. If the Password object is garbage
collected without being cleared first, it will display a warning
message showing the location of the offending code.

- - - - -
adc2889a by Endi S. Dewata at 2019-07-19T16:58:16Z
Fixed indentations in MacData constructor.

- - - - -
641a0539 by Endi S. Dewata at 2019-07-19T16:58:16Z
Fixed uncleared password in MacData

The MacData has been modified to call PBEKeyGenParams.clear()
in a finally block to ensure that the password is cleared.

- - - - -
739ed78b by Alexander Scheel at 2019-07-19T18:44:12Z
In FIPS mode, disable non-FIPS tests

Certain tests are guaranteed to fail in FIPS mode. Add an environment
variable, FIPS_ENABLED, to not enable them on CMake. Also support
passing it as a CMake option.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
2007096b by Alexander Scheel at 2019-07-19T18:44:12Z
jss.spec: Auto-set FIPS_ENABLED

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
a1de8685 by Alexander Scheel at 2019-07-19T22:27:07Z
Add alternative HMAC names for JSSProvider

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
c3c69c08 by Alexander Scheel at 2019-07-22T14:39:40Z
Rename HMACTest -> CrossHMACTest

On systems with case-insensitive file systems, cloning will likely fail
as there are two files with the "same" name but different contents:
HmacTest.java and HMACTest.java. Rename the latter, which attempts to
test different providers, to CrossHMACTest.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
18598df6 by Alexander Scheel at 2019-07-22T17:00:37Z
Remove tests/all.pl - old test suite runner

Since 4.5.1, we've replaced the test suite runner with a CMake/ctest
implementation. At this point, we're preferring SSLEngine over
SSLSocket, so keeping the last few remaining test cases in all.pl (that
we're not running anyways) doesn't do much.

tests/all.pl is tracked in the jss archive for historical reference:

https://github.com/dogtagpki/jss-archive/blob/master/org/mozilla/jss/tests/all.pl

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
2ff3bbd0 by Alexander Scheel at 2019-07-24T19:24:37Z
Add enum for Algorithm's PKCS #11 Constants

We need to map PKCS11 Constants between their names and their values and
also between their values and Algorithm identifiers. To do so, we add
PKCS11Algorithm which enumerates identifiers common to both Algorithm
and PKCS11Constants. This will let us call into the NSS API with the
correct constant identifier from PKCS11, when needed.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
694614b1 by Alexander Scheel at 2019-07-24T19:24:37Z
Expose PKCS11Algorithm enum value from Algorithm

Also changes the type of Algorithm's fields from short to int to better
match the underlying type and the type of oidIndex.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
b15d9044 by Alexander Scheel at 2019-07-24T19:36:30Z
Fix SHA1-HMAC in SymmetricKey

In SymmetricKey.java, SHA-1 HMAC was defined as PBA_SHA1_HMAC, a version
of HMAC for extending a password (using a salt) and turning it into a
key. Usually when one requests HMAC, one expects vanilla HMAC; use this
instead. We expose the old SHA1_HMAC (with PBA) as PBA_SHA1_HMAC now.
Note that later SHA-2 and SHA-3 algorithms lack PBA-based HMACs (in PKCS
v2.40 and v3.0 standards).

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
68bd9a70 by Alexander Scheel at 2019-07-25T14:23:14Z
Expose SHA-2 HMAC in SymmetricKey

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
f7405a1e by Robert Förster at 2019-08-07T17:41:02Z
fix typo in JUnit CMake variable

Signed-off-by: Robert Förster <Dessa at gmake.de>

- - - - -
029d0a64 by Alexander Scheel at 2019-08-08T15:42:01Z
Add a few standard Java interfaces when possible

This extends our interfaces to be compatible with the default JDK
interfaces whenever possible. In particular:

 - jss.crypto.SymmetricKey now extends javax.crypto.SecretKey
 - jss.pkcs11.PK11Key now implements java.security.Key

A few clarifying comments have been added where necessary.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
a7786f24 by Alexander Scheel at 2019-08-08T15:45:36Z
Release v4.6.1

This version of JSS has a few enhancements over v4.6.0:

 - Fixed LD_FLAG handling,
 - Extensions to the unfinished org.mozilla.jss.nss interface,
 - Better handling of uncleared passwords (by @edewata),
 - Better test handling in FIPS mode,
 - Changes to SymmetricKey and HMAC handling,
 - Fix typo in JUnit CMake variable (by @Dessa).

Thanks to everyone who contributed to this release!

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
364666ea by Timo Aaltonen at 2019-09-09T20:39:56Z
rules: Print test output on failure.

- - - - -
8200d240 by Timo Aaltonen at 2019-09-09T20:43:28Z
Merge branch 'upstream'

- - - - -
b43b9ad4 by Timo Aaltonen at 2019-09-09T20:43:49Z
bump the version

- - - - -
34145baa by Timo Aaltonen at 2019-09-09T20:47:59Z
releasing package jss version 4.6.1-1

- - - - -


30 changed files:

- CMakeLists.txt
- cmake/JSSConfig.cmake
- cmake/JSSTests.cmake
- debian/changelog
- debian/rules
- jss.spec
- lib/jss.map
- org/mozilla/jss/JSSProvider.java
- org/mozilla/jss/crypto/Algorithm.c
- org/mozilla/jss/crypto/Algorithm.h
- org/mozilla/jss/crypto/Algorithm.java
- org/mozilla/jss/crypto/Cipher.java
- org/mozilla/jss/crypto/KeyGenAlgorithm.java
- + org/mozilla/jss/crypto/PKCS11Algorithm.java
- org/mozilla/jss/crypto/SymmetricKey.java
- org/mozilla/jss/nss/PR.c
- org/mozilla/jss/nss/PR.java
- org/mozilla/jss/nss/SSL.c
- org/mozilla/jss/nss/SSL.java
- org/mozilla/jss/pkcs11/PK11Cert.c
- org/mozilla/jss/pkcs11/PK11Key.java
- org/mozilla/jss/pkcs11/PK11SymKey.java
- org/mozilla/jss/pkcs11/pk11util.h
- org/mozilla/jss/pkcs12/MacData.java
- org/mozilla/jss/ssl/SSLServerSocket.c
- org/mozilla/jss/tests/HMACTest.java → org/mozilla/jss/tests/CrossHMACTest.java
- org/mozilla/jss/tests/TestBufferPRFD.c
- org/mozilla/jss/tests/TestBufferPRFD.java
- org/mozilla/jss/tests/TestPRFD.java
- − org/mozilla/jss/tests/all.pl


The diff was not included because it is too large.


View it on GitLab: https://salsa.debian.org/freeipa-team/jss/compare/02ef7a82a02fb667653e75ee78e83d45f2943937...34145baabfddb1efbc0a78dce219c01bbb852b6b
